Device registration, authentication, and authorization system and method

ABSTRACT

A system includes one or more processors to receive a registration request, the registration request comprising a representation of a username and a password, verify the username and the password and transmit a one-time-use password, receive the one-time-use password and first device identifier information from a mobile computing device, receive an access request from the mobile computing device comprising the representation of the username and the password, second device identifier information, and application key information, verify the username, the password, the second device identifier information, and the application key information, and transmit a token to the mobile computing device, and receive a resource request from the mobile computing device comprising the token and third device identifier information.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of and claims the benefit of priorityfrom U.S. patent application Ser. No. 14/320,179, filed Jun. 30, 2014,entitled “Device Registration, Authentication, and Authorization Systemand Method,” the entire contents of which are fully incorporated byreference herein for all purposes. Application Ser. No. 14/320,179claims the benefit of priority from U.S. Provisional Application No.61/979,809, filed Apr. 15, 2014, entitled “Device Registration,Authentication, and Authorization System and Method,” the entirecontents of which are fully incorporated by reference herein for allpurposes.

TECHNICAL FIELD

The present disclosure generally relates to bring-your-own-device (BYOD)systems and methods. In particular, the embodiments relate to systemsand methods for registration, authentication, and authorization ofcomputing devices with a server having access to network resources, anddistribution of tokens to the computing devices. The server transmitsrepresentations of requested resources to computing devices having validtokens.

BACKGROUND

In order to provide flexible work environments, many employers andassociated information technology (IT) departments are providing remotenetwork access to employees. In addition, the employers often allowemployees to connect their personal computing devices to the company'snetwork and access network resources. However, when an employee leaves acompany or loses a computing device, the company may want to terminateaccess for the computing device to the company network and resourcesprovided by the company network. Conventional methods of terminatingaccess to the computing device are overly restrictive and destructive ofpersonal data on the computing device.

As an example, a commercial product may provide mobile device management(MDM) for enterprises. An employee of an employer utilizing thecommercial product for MDM of a personal mobile computing device mayaccidentally leave the mobile computing device on an airplane. Inanother situation, the employee may accept a new position with anotheremployer. This mobile computing device may have personal data includingpersonal photographs, videos, email, and applications and employerrelated data including emails, applications, and documents containingconfidential employer information. The mobile computing device also mayprovide access to employer networks.

Conventionally, based on current limitations and/or security policies,the IT department of the employer may have no choice but to remotelydelete/wipe all data from the mobile computing device and/or perform afactory reset of the mobile computing device. In another case, theemployer may remotely lock the mobile computing device. While thisprovides security for the employer, this presents challenges for theemployee. The employee or former employee may not have access to thepersonal mobile computing device. In other situations, in the event thatthe employee does not backup the personal data on the personal mobilecomputing device, the employee or former employee may lose the personaldata. The IT department of the employer may also have to disable accessto an employer related application for all employees.

SUMMARY

Briefly described, and according to one embodiment, aspects of thepresent disclosure generally relate to bring-your-own-device (BYOD)systems and methods. In one aspect, a server registers, authenticates,and authorizes a computing device to access network resources. Theaccess may be based on multiple factors including a username, apassword, application key information, and device identifierinformation. In an initial request, the computing device sends ausername, password, application key information, and device identifierinformation to the server. The server may verify the validity of theusername, password, and the application key information and store thedevice identifier information in a database. The server may provide thecomputing device with a token for accessing the network resources. Insubsequent requests, the computing device sends the token and deviceidentifier information to the server and the server verifies thevalidity of the token and the device identifier information. The servertransmits representations of requested resources to computing deviceshaving valid tokens and valid device identifier information.

According to one aspect, a system includes at least one processor toreceive a registration request, the registration request comprising arepresentation of a username and a password, verify the username and thepassword and transmit a one-time-use password, receive the one-time-usepassword and first device identifier information from a mobile computingdevice, receive an access request from the mobile computing devicecomprising the representation of the username and the password, seconddevice identifier information, and application key information, verifythe username, the password, the second device identifier information,and the application key information, and transmit a token to the mobilecomputing device, and receive a resource request from the mobilecomputing device comprising the token and third device identifierinformation.

According to another aspect, a method includes receiving, by at leastone processor, a registration request, the registration requestcomprising a representation of a username and a password, verifying, byat least one processor, the username and the password and transmitting aone-time-use password, receiving, by the at least one processor, theone-time-use password and first device identifier information from amobile computing device, receiving, by the at least one processor, anaccess request from the mobile computing device comprising therepresentation of the username and the password, second deviceidentifier information, and application key information, verifying, bythe at least one processor, the username, the password, the seconddevice identifier information, and the application key information, andtransmitting a token to the mobile computing device, and receiving, bythe at least one processor, a resource request from the mobile computingdevice comprising the token and third device identifier information.

According to an additional aspect, a non-transitory computer-readablemedium includes instructions stored thereon that, when executed by atleast one processor, cause the at least one processor to performoperations comprising receiving a registration request, the registrationrequest comprising a representation of a username and a password,verifying the username and the password and transmitting a one-time-usepassword, receiving the one-time-use password and first deviceidentifier information from a mobile computing device, receiving anaccess request from the mobile computing device comprising therepresentation of the username and the password, second deviceidentifier information, and application key information, verifying theusername, the password, the second device identifier information, andthe application key information, and transmitting a token to the mobilecomputing device, and receiving a resource request from the mobilecomputing device comprising the token and third device identifierinformation.

These and other aspects, features, and benefits of the presentdisclosure will become apparent from the following detailed writtendescription of the preferred embodiments and aspects taken inconjunction with the following drawings, although variations andmodifications thereto may be effected without departing from the spiritand scope of the novel concepts of the disclosure.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a computing device registration,authentication and authorization (RAA) system according to an exampleembodiment.

FIG. 2A is a block diagram of a mobile computing device according to anexample embodiment.

FIG. 2B is a block diagram of an RAA server according to an exampleembodiment.

FIG. 3 is a flowchart illustrating a method for registering,authenticating, and authorizing the mobile computing device according toan example embodiment.

FIG. 4 is a diagram illustrating an example of a computing system whichmay be used in implementing embodiments of the present disclosure.

DETAILED DESCRIPTION

Traditionally, employers provided employees with computing devices foruse in the workplace, and did not allow the computing devices to leavethe premises. The employers controlled what hardware and software wasallowed for use with network resources by limiting network access toapproved hardware and software. Some employers then began to allowemployees to utilize employer-provided mobile computing devices andaccess network resources remotely. However, many employers are no longerselecting computing devices for their employees and let their employeeschoose their own computing devices including computers, smartphones, andtablets. Many employers are now providing bring your own device (BYOD)programs whereby employers allow employees access to corporate networkresources from anywhere including at the workplace and at remotelocations, e.g., at home, in coffee shops, in airports, and in hotelrooms, among other locations. While this may be desirable from anemployee perspective and even an employer perspective, this potentiallyleaves the corporate network resources at risk and complicates the taskof the securing the corporate network resources. If an employee leavesan employer or a mobile computing device is lost, stolen and/orcompromised, many employers delete or wipe all data stored in memory onthe employee-owned mobile computing device. This is undesirable. Someemployers would prefer to be more accommodating. However, currentoptions do not provide solutions.

Aspects of the present disclosure involve systems, methods, computerprogram products, and the like, for registering a computing device,authenticating the computing device, and authorizing the computingdevice. The systems, methods, and computer program products comprise asecurity harness for network resources accessible on a communicationsnetwork. First, a computing device is registered to use and accessnetwork resources by storing device identifier information in adatabase. After the computing device is registered, the computing devicetransmits a username, a password, application key information, anddevice identifier information for validation by a server. If the servervalidates the username, the password, the application key information,and the device identifier information, the server generates a tokenhaving a time-to-live or an expiration time to the computing device.After receiving the token, the computing device may send a request fornetwork resources including the token and the device identifierinformation. The server receives the request and the token, verifiesthat the token and the device identifier information are valid, findsthe network resources, and transmits a representation of the networkresources to the computing device. In the event that the computingdevice is lost, stolen, or otherwise compromised, the token may bedisabled and/or the device identifier information may be deleted fromthe database, disabling the computing device from requesting networkresources for a specific application. An administrator may manually markthe computing device as inactive in a database or may disable thecomputing device by using a web-based management portal hosted by theserver. In another example, the device identifier information may bedeleted or removed from the database by using the web-based managementportal. If the computing device is inactive and does not make anyrequest for network resources for a particular period of time, e.g.,twelve months or some other configurable parameter, the deviceidentifier information may be automatically removed or deleted from thedatabase.

The security harness may disable a specific application on a specificcomputing device without modifying any other data in memory on thecomputing device. If the user chooses to delete the specificapplication, the computing device may notify the administrator and/orthe database. As an example, the administrator may receive anotification via the web-based management portal. The administrator maymanually mark the computing device as inactive in the database or maydisable the computing device by using the web-based management portal.The administrator also may delete or remove the device identifierinformation from the database. As another variant, the device identifierinformation may be automatically removed or deleted from the database.

Further, in one particular implementation, employees use their owncomputing devices to access network resources provided by an employer. Aserver verifies an entity's identity and determines what networkresources an authenticated entity is allowed to access, e.g., read,write, and/or modify. According to an example embodiment, an entity isauthenticated using multi-factor authentication. The embodimentsdescribed herein are further based on Oauth, an open standard forauthorization. In particular, the embodiments are related to Oauth 2.0.While discussed in the context of Oauth, the present disclosure is notlimited to Oauth.

As an example, when a user first uses a mobile computing device andopens an application that requests access to network resources, theapplication transmits a request for access to a network server. Thenetwork server determines that this mobile computing device has not yetbeen granted access to network resources. Before access is provided, themobile computing device is registered. The server generates aone-time-use password (OTP) or other password and transmits theone-time-use password to the user via email and/or text message, amongother methods. The user receives the one-time-use password and transmitsthe one-time-use password to the server along with a device identifierthat is a universally unique identifier for identifying this particularmobile computing device. The server verifies that the one-time-usepassword is correct and stores the device identifier in a memory.

Now that the mobile computing device is registered, the user andassociated mobile computing device may obtain access to the networkresources. Using the application, the user inputs a username andpassword and the application transmits a representation of the usernameand password in addition to other information to the server. The otherinformation may include application key information including anapplication key that represents a unique identifier for the applicationand an application key secret. The other information may further includedevice identifier information including a representation of a deviceidentifier and a device identifier secret. The server receives thisinformation and verifies that the username and password, the applicationkey information, and the device identifier information are valid. Ifthis information is valid, the server generates a token that may have atime-to-live or expiration time, e.g., two hours. The server transmitsthis token to the mobile computing device. Upon receipt of this token,the mobile computing device may access the network resources. The mobilecomputing device transmits a request to the server with the token andthe device identifier information. The server verifies that the tokenand the device identifier is valid, obtains the network resources from amemory or database and transmits a representation of the networkresources to the mobile computing device.

FIG. 1 illustrates a block diagram of a computing device registration,authentication, and authorization (RAA) system 100 according to anexample embodiment. According to an aspect of the disclosure, the RAAsystem 100 includes one or more mobile computing devices 102. The RAAsystem 100 further comprises one or more firewalls 104, one or more RAAservers 106, one or more databases 108, and a communication network 110.The RAA system 100 includes one or more computers that communicate usingthe communication network 110. The one or more computers communicate andcoordinate their actions by passing messages over the communicationnetwork 110. The network can be the Internet, an intranet, a cellularcommunications network, a WiFi network, a packet network, or anotherwired or wireless communication network. As an example, the one or morecomputers communicate data in packets, messages, or other communicationsusing a common protocol, e.g., Hypertext Transfer Protocol (HTTP) and/orHypertext Transfer Protocol Secure (HTTPS). As an example, the RAAsystem 100 may be a cloud-based computer system.

The firewall 104 receives requests from the one or more mobile computingdevices 102 and routes the requests to the one or more RAA servers 106.The firewall 104 may be a software and/or hardware-based networksecurity system that controls the incoming and outgoing network trafficby analyzing the requests and determining whether the requests should beallowed or not allowed, based on a rule set. In one exemplaryembodiment, the firewall 104 is a Netscaler application deliverycontroller providing load balancing for requests, network scalability,RAA system 100 monitoring, and management features.

The one or more databases 108 comprise an organized collection of data.The data may include one or more tables comprising username and passwordinformation, device identification information, application informationincluding application key information, and token information, amongother information. The username and password information may be storedin a lightweight directory access protocol (LDAP) database, e.g., anActive Directory store. The device identification information mayinclude a device identifier and a device identifier secret for eachdevice and an associated username. The device identifier may comprise adevice fingerprint uniquely representing the device. The applicationinformation may include an application key and an application key secretfor each application providing access to network resources. Theapplication key may comprise an application fingerprint uniquelyrepresenting the application. The application information may be storedin an OpenDS directory server, e.g., a network-accessible database thatstores information in a hierarchical form.

In one embodiment, the data in the one or more databases 108 also mayinclude one or more tables comprising network resources requested by themobile computing device 102. In another embodiment, the networkresources requested by the mobile computing device 102 may be stored inanother database or other network addressable location, service, memory,or computer.

FIG. 2A illustrates a block diagram of a mobile computing device 102according to an example embodiment. According to an aspect of thepresent disclosure, the mobile computing device is a computer having aprocessor 202 and memory including but not limited to a laptop, desktop,tablet computer, mobile computing device (e.g., a smartphone) or adedicated electronic device having a processor and memory. The mobilecomputing device 102 includes one or more processors 202 to processmachine/computer-readable executable instructions and data and memory tostore machine/computer-readable executable instructions and dataincluding one or more applications 206. The processor 202 and memory arehardware. The memory includes random access memory (RAM) andnon-transitory memory, e.g., one or more flash disks or hard drives. Thenon-transitory memory may include any tangible computer-readable mediumincluding, for example, magnetic and/or optical disks, flash drives, andthe like.

The mobile computing device 102 includes computer readable media (CRM)204 on which the one or more applications 206 are stored. The computerreadable media 204 may include volatile media, nonvolatile media,removable media, non-removable media, and/or another available mediumthat can be accessed by the processor. By way of example and notlimitation, the computer readable media comprises computer storage mediaand communication media. Computer storage media includes non-transitorymemory, volatile media, nonvolatile media, removable media, and/ornon-removable media implemented in a method or technology for storage ofinformation, such as computer/machine-readable/executable instructions,data structures, program modules, or other data. Communication media mayembody computer/machine-readable/executable instructions, datastructures, program modules, or other data and include an informationdelivery media or system.

The application 206 may be any application executable by the mobilecomputing device 102, e.g., a single unit of deployable executable code.In one example, the application 206 is an application provided by anemployer and/or network resource manager such as an IT department. Theapplication 206 may be an email client, a ticket management application,a sales application, a word processing application, a spreadsheetapplication, and other applications. The application 206 may requestnetwork resources comprising ticket management information, salesinformation, word processing information, spreadsheet information, andother information from the one or more databases 108. The application206 may be downloaded from digital distribution platforms, e.g., the AppStore and/or GOOGLE PLAY™, among others. The application 206communicates messages with the RAA server 106. As an example, theapplication 206 is a web-based application viewed in a browser on themobile computing device and/or a native application executed by themobile computing device 102.

The application 206 includes a user interface module 208 to provide auser interface on a display of the mobile computing device 102. Theapplication 206 further includes a username module 210 to receive ausername and a password as input and transmit a representation of theusername and the password to the RAA server 106 using hypertexttransport protocol secure (HTTPS) and/or other protocols. The usernameand password may be encrypted using secure sockets layer (SSL) and/orother encryption protocols. The application also includes an applicationkey module 212 to obtain an application key and an application keysecret from the application 204 and transmit the application key and theapplication key secret to the RAA server. In one example, theapplication key and the application key secret may be embedded in sourcecode, object code, and/or machine code of the application 206. Theapplication key and the application key secret may be encrypted using acryptographic hash function (e.g., SHA-1, MD5) to determine a hash-basedmessage authentication code (HMAC) (Hash-based message authenticationcode). This cryptographic hash function allows the application key andthe application key secret to be verified and authenticated. The outputof the cryptographic hash function is a binary string (or opaque binaryblob (OBB)) that may be encoded using Base64.

The application also includes a device identification module 214 toobtain a device identifier and a device identifier secret from themobile computing device 102 and transmit the device identifier and thedevice identifier secret to the RAA server 106. The deviceidentification module 214 may obtain the device identifier and thedevice identifier secret using an application programming interface(API) provided by an operating system of the mobile computing device102. The device identifier and the device identifier secret may beencrypted using a cryptographic hash function (e.g., SHA-1, MD5) todetermine a hash-based message authentication code (HMAC) (Hash-basedmessage authentication code). The cryptographic hash function allows thedevice identifier and the device identifier secret to be verified andauthenticated. The output of the cryptographic hash function is a binarystring that may be encoded using Base64.

The application 204 also includes a token module 216 to receive a tokenfrom the RAA server 106 and store the token in memory. In addition, theapplication 206 includes a resource module 218 to request resources fromthe RAA server 106. The request may be a representational state transfer(REST) and/or a Simple Object Access Protocol (SOAP) request sent to theRAA server that identifies particular resources. As an example, therequest may be a uniform resource locator (URL) comprisinghttp://www.exampletickets.com/getAllTicketsxml&ApplicationKey=coolapp&ApplicationKeySecret=1234&DeviceIdentifier=myPhone&DeviceIdentifierSecret=6789&Token=abcd.This request may be a request for all tickets associated with the ticketmanagement application and may be formatted according to a format of aticket management application programming interface (API). The requestis received by the RAA server 106. The RAA server 106 determines whatresources are associated and identified with the request (e.g., alltickets associated with the ticket management application) and the RAAserver 106 transmits a REST and/or SOAP response of a representation ofthe resources as Javascript Object Notation (JSON) and/or ExtensibleMarkup Language (XML). When requesting resources, the resource module218 transmits the token and the device identifier information to the RAAserver 106. If the token is valid and the device identifier informationis valid and the token is associated with the device identifierinformation, the RAA server 106 transmits a representation of therequested resources to the resource module 218 and the resource module218 provides the representation of the requested resources to the userinterface module 208 for display and interaction.

The mobile computing device 102 further includes a display 220 and aninput device 222. The display 220 is used to display visual componentsof the application 206, such as at a user interface provided by the userinterface module 208. In one example, the user interface may display therepresentation of the requested resources received by the resourcemodule 218, e.g., a list of all tickets associated with the ticketmanagement application and information associated with each ticket. Thedisplay 220 can include a cathode-ray tube display, a liquid-crystaldisplay, a light-emitting diode display, a touch screen display, andother displays. The input device 222 is used to interact with theapplication 206 and may include a mouse, a keyboard, a trackpad, and/orthe like. The input device 222 may be included within the display 220 ifthe display is a touch screen display. The input device 222 allows auser of the mobile computing device 102 to manipulate the representationof the requested resources received by the resource module 218.

Before the RAA server 106 provides access to resources in the database108, the user and/or an administrator may register the application 206for use by the mobile computing device 102. When the application 206 islaunched for the first time, or in another situation, the application206 may request access to the resources in the database 108 or inanother location. In one example, the application 206 may ask for userapproval before requesting access and indicates that registration,authentication, and authorization of the user, mobile computing device102, and the application 206 is in process via the user interface module208. In another example, the application 206 does not indicate thatregistration, authentication, and authorization of the user, mobilecomputing device 102, and the application 206 is in process, but theprocess may take place “behind the scenes” without user intervention.The application 206 may be registered using a web browser and/or withinthe application itself via the user interface module 208.

In cooperation with the username module 210, the application key module212, and the device identification module 214, the web browser and/orthe user interface module 208 provides an interface that a user may useto register the application 206. In one example, the process may beginin the application 206, and the application 206 may open the web browserfor another aspect of the process. The process may conclude in theapplication 206 or the web browser may close or transition back to theapplication 206. In another example, the mobile computing device 102 mayopen a web browser and using the web browser, the user may select theapplication from a list of applications. In other words, the application206 transmits the registration request to the RAA server 106 and/or theweb browser transmits the registration request on behalf of theapplication to the RAA server 106.

FIG. 2B illustrates a block diagram of the RAA server 106 according toan example embodiment. According to an aspect of the present disclosure,the RAA server 106 is a computer having a processor 224 and memory. TheRAA server 102 may be, for example, a laptop, a desktop, a server, atablet computer, a mobile computing device (e.g., a smartphone) or adedicated electronic device having a processor and memory. In anexemplary embodiment, the RAA server 106 comprises a hardware gatewayrunning Intel Expressway, e.g., a software system or appliance to exposenetwork services and resources to client computing devices such as theone or more mobile computing devices 102. The RAA server 106 includesone or more processors 224 to process data and memory to storemachine/computer-readable executable instructions and data including anRAA application. The processor and memory are hardware. The memoryincludes random access memory (RAM) and non-transitory memory, e.g., oneor more hard disks. The non-transitory memory may include any tangiblecomputer-readable medium including, for example, magnetic and/or opticaldisks, flash drives, and the like. The data associated with the RAAapplication, username and password information, application keyinformation, device identification information, and token informationmay be stored in a structured query language (SQL) server database, anopen source distributed database management system such as a Not onlySQL (NoSQL) database management system (e.g., Apache Cassandra), oranother appropriate database management system the within memory. As anexample, the data may be stored in the database 108. Additionally, thememory may also include a dedicated file server having one or morededicated processors, random access memory (RAM), a Redundant Array ofInexpensive Disks hard drive configuration, an Ethernet interface orother communication interface, and a server-based operating system.

The RAA application may be a software application for registering,authenticating, and authorizing computing devices to use and accessnetwork resources. The RAA application comprisesmachine/computer-readable executable instructions that are executed bythe processor 224 or another processor. The RAA application has accessto the username and password information, application key information,device identifier information, and the token information that may bestored within the memory and/or the database 108. As an example, the RAAapplication may be stored in non-transitory memory. The RAA server 106includes computer readable media 226 on which the RAA application 228 isstored. The computer readable media 226 may include volatile media,nonvolatile media, removable media, non-removable media, and/or anotheravailable medium that can be accessed by the processor. By way ofexample and not limitation, the computer readable media comprisescomputer storage media and communication media. Computer storage mediaincludes non-transitory memory, volatile media, nonvolatile media,removable media, and/or non-removable media implemented in a method ortechnology for storage of information, such ascomputer/machine-readable/executable instructions, data structures,program modules, or other data. Communication media may embodycomputer/machine-readable/executable instructions, data structures,program modules, or other data and include an information delivery mediaor system.

The RAA application 228 includes a server user interface module 230 forreceiving requests from mobile computing devices 102 and transmittinguser interface information to the mobile computing devices 102. Inaddition, the RAA application 228 includes a routing module 232 toreceive a request from a mobile computing device 102 and obtaininformation from the database 108 to verify that the request is a validrequest. The routing module may temporarily store request information ina routing cache and/or a routing storage. The routing cache and/orrouting storage may be stored in memory and/or the database 108. The RAAapplication 228 further includes a one-time-use password (OTP) module234 to generate a one-time-use password and store the one-time-usepassword in the memory and/or the database 108. The one-time-usepassword may have a limited time that it is valid, e.g., twenty minutes,and may only be used once to register a mobile computing device 102. TheRAA application 228 further includes a mobile computing deviceregistration module 236 to receive requests from new and/or unknownmobile computing devices and transmit a generated one-time-use passworddirectly to the application 206. The server user interface module 230may transmit mobile computing device user interface information togenerate an OTP user interface to receive entry of theone-time-user-password. The mobile computing device registration module236 may transmit the one-time-user password via email and text message,among others. The mobile computing device registration module 236receives a username and a password and verifies that the username andpassword are valid using the one or more tables in the database 108. Inaddition, the mobile computing device registration module 236 receivesthe device identifier information including the device identifier andthe device identifier secret and the generated one-time-use password.The mobile computing device registration module 236 verifies that theone-time-use password is valid using the one or more tables in thedatabase 108 and stores the device identifier information as firstidentifier information in the memory and/or the database 108.

Generally, various element of the RAA application are described as beingimplemented as various computing modules, which may involve a pluralityof computer instructions being executed by a computing element or storedon a non-transitory media, and configured to perform the variousoperations of the system. While these modules are described as distinctoperational blocks, it should be recognized that these operations may becombined and/or separated depending on the requirements of anyparticular implementation.

In response to a request from a registered mobile computing device, amobile computing device authentication and authorization module 238receives a username, a password, the device identifier information, andapplication key information and verifies that this information is valid.The device identifier information may include a representation of thedevice identifier and the device identifier secret and may be secondidentifier information. In addition, the application key information mayinclude a representation of the application key and the application keysecret. The database 108 includes a copy of each application key andapplication key secret associated with access to network resources andeach device identifier and device identifier secret associated withaccess to network resources. The mobile computing device authenticationand authorization module 238 queries the corresponding application keyand the application key secret in the database, and performs thecryptographic hash function performed by the mobile computing device102. In addition, the mobile computing device authentication andauthorization module 238 queries the corresponding device identifier andthe device identifier secret in the database, and performs thecryptographic hash function performed by the mobile computing device102. The output of the cryptographic hash function is a binary stringthat may be encoded using Base64. The mobile computing deviceauthentication and authorization module 238 determines whether thebinary string representing the application key information and thebinary string representing the device identifier information sent by themobile computing device 102 matches the binary string representing theapplication key information and the binary string representing thedevice identifier information determined by the mobile computing deviceauthentication and authorization module 238.

In other words, the mobile computing device 102 transmits a username, apassword, application key information, and the device identifierinformation to the RAA server 106 using HTTP digest authentication. Inone example, the application key information is a first applicationhash-based message authentication code and the device identifierinformation is a first device hash-based message authentication code.The username and password may be received in a first digest, the firstapplication hash-based message authentication code may be received in asecond digest, and the first device hash-based message authenticationcode may be received in a third digest. The RAA server 106 verifies thatthe username, the password, the application key information, and thedevice identifier information are valid.

The RAA server 106 locates a corresponding application key andapplication key secret in the database 108 and performs thecryptographic hash function on the application key and the applicationkey secret to obtain a second application hash-based messageauthentication code. The RAA server 106 also locates a correspondingdevice identifier and device identifier secret in the database 108 andperforms the cryptographic hash function on the device identifier andthe device identifier secret to obtain a second device hash-basedmessage authentication code. The RAA server 106 compares the firstapplication hash-based message authentication code with the secondapplication hash-based message authentication code and compares thefirst device hash-based message authentication code with the seconddevice hash-based message authentication code to determine validity.

If this information is valid, a token generation module 240 generates atoken having a time to live or expiration time, e.g., two hours, andtransmits the token to the mobile computing device 102. The token and/ortoken information representing the token is stored in the memory and/orthe database 108. A service module 242 receives a REST and/or SOAPrequest from a registered mobile computing device and a token, andverifies that the token is valid using the token and/or the tokeninformation in the database 108. The service module 242 may also receivethe device identifier information as third device identifier informationand verify that the device identifier information is valid and that thetoken is associated with the device identifier information. In otherwords, it may not be possible to use a valid token unless the token isassociated with the mobile computing device and its associated deviceidentifier information. The service module 242 determines what resourcesare associated and identified with the request and where the resourcesare located on the communication network 110. The service module 242transmits a REST and/or SOAP response of a representation of theresources as Javascript Object Notation (JSON) and/or Extensible MarkupLanguage (XML).

According to an example embodiment, the application key grants theapplication 206 specific access to particular network resources. Thenetwork resources may comprise a first resource, a second resource, anda third resource. If the application 206 uses information from the firstresource but not the second resource or the third resource, theapplication key only grants access to the first resource. Theapplication key does not grant access to the second resource or thethird resource. In another case, the device identifier grants the devicespecific access to particular network resources. If the user of themobile computing device 102 uses information from the first resource butnot the second resource or the third resource, the device identifieronly grants access to the first resource.

The application key is a string or code that identifies the application,its developer, and/or its user. The application key secret is also astring or code that identifies the application, its developer, and/orits user. The application key and the application key secret may beviewed similarly to a username/password pair. The device identifier is astring or code that uniquely identifies the device. The deviceidentifier secret is also a string or code that uniquely identifies thedevice. The device identifier and the device identifier secret may alsobe viewed similarly to a username/password pair. The RAA server 106 mayrevoke a token and/or delete device identifier information from thedatabase providing the resource owner and user greater control andflexibility in granting access. In one embodiment, an administrator maymanually mark the device identifier as inactive in the database 108 ormay disable the device identifier by using a web-based management portalprovided by the RAA server 106, e.g., a security harness. In anotherexample, the device identifier information and/or an associated tokenmay be deleted, revoked, or removed from the database 108. In an evenfurther example, an associated token may be disabled and/or expiredusing the web-based management portal. The associated token time-to-livealso may be adjusted and/or lowered using the web-based managementportal. If the mobile computing device 102 is inactive and does not makeany request for network resources for a particular period of time, e.g.,twelve months, the RAA server 106 may automatically remove or delete thedevice identifier information from the database 108. In another example,the administrator may receive a notification via the web-basedmanagement portal indicating that the device identifier informationand/or the associated token may be removed or deleted from the database108.

If a device identifier is marked as inactive and/or the deviceidentifier is deleted from the database, when the mobile computingdevice 102 launches the application 206, the application 206 may displayan error message on the display 220. In the alternative, the application206 may display a user interface of the application on the display 220but the application 206 may not have any access to data to populate theuser interface. The application 206 executed by the mobile computingdevice 102 may be denied access to network resources by the RAA server106.

In the event that an employee deletes the application 206 from themobile computing device 102, the mobile computing device 102 may deleteconfidential information associated with the application, theapplication key, and the application key secret from the mobilecomputing device 102. However, the application key and the applicationkey secret may not be deleted from the database 108. Additionally, ifthe employee deletes the application 206 from the mobile computingdevice 102, the mobile computing device 102 may delete the token fromthe mobile computing device 102. In some situations, when theapplication 206 is deleted from the mobile computing device 102, themobile computing device 102 deletes the device identifier and the deviceidentifier secret. However, if the employee deletes the application 206from the mobile computing device 102, the associated device identifierand the device identifier secret may not be deleted from the database108. It is possible that the employee may reinstall the application 206at a later date.

An example table stored in the database 108 is shown below in Table 1.

TABLE 1 device application application device identifier Usernamepassword key key secret identifier secret token Jack 1234abcDwordprocessor 11111 jacksphone jackssecret abcd1234 (A) (A) Diane5678wxyZ spreadsheet 22222 dianesphone dianessecret 1234abcd (I) (E) Bob8675309 email 33333 bobstablet bobssecret ab12cd34 (D) (E)As shown in Table 1, “jacksphone” is denoted as active by the (A), e.g.,owned by an employee of an employer and currently in use. “dianesphone”is denoted as inactive by the (I). The mobile computing device havingthe device identifier of “dianesphone” may be misplaced, e.g.,temporarily lost but owned by an employee of an employer. “bobstablet”(is denoted as being deleted by the (D), e.g., decommissioned or nolonger in use. The mobile computing device having the device identifierof “bobstablet” may be owned by an employee that has left an employer.The mobile computing device having the device identifier of “jacksphone”may be granted access to network resources. The mobile computing devicehaving the device identifier of “dianesphone” may not be granted accessto network resources. Although “dianesphone” may not have access tonetwork resources associated with the application having the applicationkey represented by “spreadsheet,” “dianesphone” may have access to otherapplications such as personal applications and network resourcesassociated with the personal applications. In the event that this mobilecomputing device is found, the mobile computing device will have accessto at least the personal applications and the network resourcesassociated with the personal applications. The mobile computing devicehaving the device identifier of “bobstablet” may not be granted accessto network resources. “bobstablet” may have access to other applicationssuch as personal applications and network resources associated with thepersonal applications. The token “1234abcd” associated with jacksphoneis denoted as active by the (A). The token “1234abcd” associated withdianesphone is denoted as expired by the (E). The token “ab12cd34”associated with bobstablet is denoted as expired by the (E).

FIG. 3 is a flowchart of a process 300 for registering, authenticating,and authorizing the mobile computing device 102 according to an exampleembodiment. The process 300 shown in FIG. 3 begins in step 302.

In step 302, the mobile computing device 102 opens the application andtransmits a registration request to the RAA server 106. In anotherexample, the mobile computing device 102 may open a web browser andusing the web browser, the user may select the application from a listof applications. In other words, the application transmits theregistration request to the RAA server 106 and/or the web browsertransmits the registration request on behalf of the application to theRAA server 106. The registration request may include a representation ofa username and a password. In step 304, the RAA application 228 of theRAA server 106 receives the registration request, generates aone-time-use password, and transmits the one-time-use password to themobile computing device 102. The RAA application 228 of the RAA server106 may verify the username and the password before transmitting theone-time-use-password to the mobile computing device 102. In step 306,the mobile computing device 102 receives the one-time-use password anddetermines device identifier information. The mobile computing device102 transmits the one-time-use password and the device identifierinformation, e.g., first device identifier information, in addition to arepresentation of a username and a password to the RAA server 106. TheRAA server 106 verifies that the username, the password, and theone-time-use password are valid and stores the device identifierinformation in the database 108.

In step 308, the mobile computing device 102 transmits therepresentation of the username, the password, application keyinformation, and the device identifier information to the RAA server106. In step 308, the device identifier information is second deviceidentifier information. In one example, the application key informationis a first application hash-based message authentication code and thedevice identifier information is a first device hash-based messageauthentication code. In step 310, the RAA server 106 verifies that theusername, the password, the application key information, and the deviceidentifier information are valid. The RAA server 106 locates acorresponding application key and application key secret and performsthe cryptographic hash function on the application key and theapplication key secret to obtain a second application hash-based messageauthentication code. The RAA server 106 also locates a correspondingdevice identifier and device identifier secret and performs thecryptographic hash function on the device identifier and the deviceidentifier secret to obtain a second device hash-based messageauthentication code. The RAA server 106 compares the first applicationhash-based message authentication code with the second applicationhash-based message authentication code and compares the first devicehash-based message authentication code with the second device hash-basedmessage authentication code to determine validity. If the three securityfactors comprising the (1) username and the password, (2) theapplication key information, and (3) the device identifier informationare valid, in step 312, the RAA server 106 generates a token andtransmits the token to the mobile computing device 102. The token mayhave an expiration time or a time-to-live.

In step 314, the mobile computing device 102 receives the token andstores the token in memory. In step 316, the mobile computing device 102transmits the token, the device identifier information, and a resourcerequest to the RAA server 106. In step 316, the device identifierinformation is third device identifier information. In step 318, the RAAserver 106 verifies that the token and the third device identifierinformation are valid, requests resource data from a network datasourceconnected to the communication network 110, e.g., the database 108, andtransmits a representation of the resource data to the mobile computingdevice 102. The mobile computing device 102 receives the representationof the resource data and optionally displays the representation of theresource data in the user interface on the display 220. The third deviceidentifier information is a first device hash-based messageauthentication code. The RAA server 106 locates a corresponding deviceidentifier and device identifier secret and performs the cryptographichash function on the device identifier and the device identifier secretto obtain a second device hash-based message authentication code. Instep 318, the RAA server 106 compares the first device hash-basedmessage authentication code with the second device hash-based messageauthentication code to determine validity of the third device identifierinformation.

According to an exemplary embodiment, each mobile computing devicedeemed to have access to the network resources has a unique deviceidentifier stored in the database 108. In addition each application hasa unique application key stored in the database 108. In the event thatan employee leaves an employer or a mobile computing device is lost,stolen, or compromised, the employer may disable access to a specificapplication and/or a specific mobile computing device by deleting aunique device identifier and/or a device identifier secret from thedatabase. When the unique device identifier and/or the device identifiersecret are disabled or deleted from the database 108 and the mobilecomputing device 102 executes the specific application, the specificapplication may be denied access by the RAA server 106. In thissituation, in step 316, when the RAA server 106 compares the firstdevice hash-based message authentication code with the second devicehash-based message authentication code, the device identifierinformation may be invalid and mobile computing device 102 may be deniedaccess by the RAA server 106. The first device hash-based messageauthentication code may not match the second device hash-based messageauthentication code. The employer need not resort to measures such asdeleting all data stored in memory on the mobile computing device 102,reinstalling an operating system on the mobile computing device 102,and/or restoring the mobile computing device 102 to factory settings.

According to an example embodiment, if a token expires, the user mayrefresh the token without completing the registration process again. Thetoken may expire after the time-to-live and the user interface module208 of the application 206 may display a refresh user interface on thedisplay 220 for refreshing the token. The user may populate the userinterface with refresh information (e.g., the username and the password)and the application 206 transmits refresh information (e.g., arepresentation of the username and the password) to the RAA server 106.The RAA server 106 may receive the refresh information and transmit arefreshed token to the token module 216. The refresh information mayinclude the application key, the application key secret, the deviceidentifier, and the device identifier secret, among other information.In another example embodiment, the administrator of the RAA server 106may force a user to refresh the token by forcing a timeout of the tokenusing the web-based management portal. In an even further embodiment, ifa device identifier and/or a device identifier secret are disabled bythe administrator of the RAA server 106 using the web-based managementportal, the token may not be refreshed.

FIG. 4 is a block diagram illustrating an example of a computing deviceor computer system 400 which may be used in implementing the embodimentsof the components of the network disclosed above. For example, thecomputing system 400 of FIG. 4 may be used to implement the variouscomponents of the application 206 and the RAA application 228 discussedabove. The computer system (system) includes one or more processors402-406. Processors 402-406 may include one or more internal levels ofcache (not shown) and a bus controller or bus interface unit to directinteraction with the processor bus 412. Processor bus 412, also known asthe host bus or the front side bus, may be used to couple the processors402-406 with the system interface 414. System interface 414 may beconnected to the processor bus 412 to interface other components of thesystem 400 with the processor bus 412. For example, system interface 414may include a memory controller 414 for interfacing a main memory 416with the processor bus 412. The main memory 416 typically includes oneor more memory cards and a control circuit (not shown). System interface414 may also include an input/output (I/O) interface 420 to interfaceone or more I/O bridges or I/O devices with the processor bus 412. Oneor more I/O controllers and/or I/O devices may be connected with the I/Obus 426, such as I/O controller 428 and I/O device 430, as illustrated.

I/O device 430 may also include an input device (not shown), such as analphanumeric input device, including alphanumeric and other keys forcommunicating information and/or command selections to the processors402-406. Another type of user input device includes cursor control, suchas a mouse, a trackball, or cursor direction keys for communicatingdirection information and command selections to the processors 402-406and for controlling cursor movement on the display device.

System 400 may include a dynamic storage device, referred to as mainmemory 416, or a random access memory (RAM) or other computer-readabledevices coupled to the processor bus 412 for storing information andinstructions to be executed by the processors 402-406. Main memory 416also may be used for storing temporary variables or other intermediateinformation during execution of instructions by the processors 402-406.System 400 may include a read only memory (ROM) and/or other staticstorage device coupled to the processor bus 412 for storing staticinformation and instructions for the processors 402-406. The system setforth in FIG. 4 is but one possible example of a computer system thatmay employ or be configured in accordance with aspects of the presentdisclosure.

According to one embodiment, the above techniques may be performed bycomputer system 400 in response to processor 404 executing one or moresequences of one or more instructions contained in main memory 416.These instructions may be read into main memory 416 from anothermachine-readable medium, such as a storage device. Execution of thesequences of instructions contained in main memory 416 may causeprocessors 402-406 to perform the process steps described herein. Inalternative embodiments, circuitry may be used in place of or incombination with the software instructions. Thus, embodiments of thepresent disclosure may include both hardware and software components.

A machine readable medium includes any mechanism for storing ortransmitting information in a form (e.g., software, processingapplication) readable by a machine (e.g., a computer). Such media maytake the form of, but is not limited to, non-volatile media and volatilemedia. Non-volatile media includes optical or magnetic disks. Volatilemedia includes dynamic memory, such as main memory 416. Common forms ofmachine-readable medium may include, but is not limited to, magneticstorage medium (e.g., floppy diskette); optical storage medium (e.g.,CD-ROM); magneto-optical storage medium; read only memory (ROM); randomaccess memory (RAM); erasable programmable memory (e.g., EPROM andEEPROM); flash memory; or other types of medium suitable for storingelectronic instructions.

Embodiments of the present disclosure include various steps, which aredescribed in this specification. The steps may be performed by hardwarecomponents or may be embodied in machine-executable instructions, whichmay be used to cause a general-purpose or special-purpose processorprogrammed with the instructions to perform the steps. Alternatively,the steps may be performed by a combination of hardware, software and/orfirmware.

Various modifications and additions can be made to the exemplaryembodiments discussed without departing from the scope of the presentinvention. For example, while the embodiments described above refer toparticular features, the scope of this invention also includesembodiments having different combinations of features and embodimentsthat do not include all of the described features. Accordingly, thescope of the present invention is intended to embrace all suchalternatives, modifications, and variations together with allequivalents thereof.

What is claimed is:
 1. A system, comprising: a server comprising atleast one processor to: receive a registration request, the registrationrequest comprising a representation of a username and a password; verifythe username and the password and transmit a one-time-use password;receive the one-time-use password and first device identifierinformation from a mobile computing device; receive an access requestfrom the mobile computing device comprising the representation of theusername and the password, second device identifier information, andapplication key information; verify the username, the password, thesecond device identifier information, and the application keyinformation at the server, and transmit a token to the mobile computingdevice; receive a resource request from the mobile computing devicecomprising the token and third device identifier information; verify thetoken and the third device identifier information; and transmitinformation associated with the resource request to the mobile computingdevice.
 2. The system as recited in claim 1, the at least one processorfurther to: store the first device identifier information in a memory,the first device identifier information comprising a first deviceidentifier and a first device identifier secret.
 3. The system asrecited in claim 2, wherein the second device identifier informationcomprises a second device hash-based message authentication code.
 4. Thesystem as recited in claim 3, the at least one processor further to:perform a cryptographic hash function on the first device identifier andthe first device identifier secret to obtain a first device hash-basedmessage authentication code; and compare the first device hash-basedmessage authentication code with the second hash-based messageauthentication code to verify the second device identifier information.5. The system as recited in claim 2, wherein the third device identifierinformation comprises a third device hash-based message authenticationcode.
 6. The system as recited in claim 5, the at least one processorfurther to: perform a cryptographic hash function on the first deviceidentifier and the first device identifier secret to obtain a firstdevice hash-based message authentication code; and compare the firstdevice hash-based message authentication code with the third devicehash-based message authentication code to determine that the resourcerequest is valid, wherein the information transmitted to the mobilecomputing device comprises a representation of a resource associatedwith the resource request to the mobile computing device.
 7. The systemas recited in claim 5, the at least one processor further to: perform acryptographic hash function on the first device identifier and the firstdevice identifier secret to obtain a first device hash-based messageauthentication code; and compare the first device hash-based messageauthentication code with the third hash-based message authenticationcode to determine that the resource request is invalid, wherein theinformation transmitted to the mobile computing device comprises anindication that the resource request is invalid to the mobile computingdevice.
 8. The system as recited in claim 1, wherein the application keyinformation comprises a first application hash-based messageauthentication code based on an application key and an application keysecret.
 9. The system as recited in claim 2, the at least one processorfurther to: disable at least one of the first device identifier and thefirst device identifier secret; and deny the resource request from themobile computing device.
 10. The system as recited in claim 2, the atleast one processor further to: delete at least one of the first deviceidentifier and the first device identifier secret; and deny the resourcerequest from the mobile computing device.
 11. A method, comprising:receiving, by at least one processor at a server, a registrationrequest, the registration request comprising a representation of ausername and a password; verifying, by at least one processor, theusername and the password and transmitting a one-time-use password;receiving, by the at least one processor, the one-time-use password andfirst device identifier information from a mobile computing device;receiving, by the at least one processor, an access request from themobile computing device comprising the representation of the usernameand the password, second device identifier information, and applicationkey information; verifying, by the at least one processor, the username,the password, the second device identifier information, and theapplication key information at the server, and transmitting a token tothe mobile computing device; receiving, by the at least one processor, aresource request from the mobile computing device comprising the tokenand third device identifier information; verifying the token and thethird device identifier information; and transmitting, by the at leastone processor, information associated with the resource request to themobile computing device.
 12. The method as recited in claim 11, furthercomprising: storing the first device identifier information in a memory,the first device identifier information comprising a first deviceidentifier and a first device identifier secret.
 13. The method asrecited in claim 12, wherein the second device identifier informationcomprises a second device hash-based message authentication code. 14.The method as recited in claim 13, further comprising: performing acryptographic hash function on the first device identifier and the firstdevice identifier secret to obtain a first device hash-based messageauthentication code; and comparing the first device hash-based messageauthentication code with the second hash-based message authenticationcode to verify the second device identifier information.
 15. The methodas recited in claim 12, wherein the third device identifier informationcomprises a third device hash-based message authentication code.
 16. Themethod as recited in claim 15, further comprising: performing acryptographic hash function on the first device identifier and the firstdevice identifier secret to obtain a first device hash-based messageauthentication code; and comparing the first device hash-based messageauthentication code with the third device hash-based messageauthentication code to determine that the resource request is valid,wherein transmitting the information comprises transmitting arepresentation of a resource associated with the resource request to themobile computing device.
 17. The method as recited in claim 15, furthercomprising: performing a cryptographic hash function on the first deviceidentifier and the first device identifier secret to obtain a firstdevice hash-based message authentication code; and comparing the firstdevice hash-based message authentication code with the third hash-basedmessage authentication code to determine that the resource request isinvalid, wherein transmitting the information comprises transmitting anindication that the resource request is invalid to the mobile computingdevice.
 18. The method as recited in claim 12, further comprising:disabling at least one of the first device identifier and the firstdevice identifier secret; and denying the resource request from themobile computing device.
 19. The method as recited in claim 12, furthercomprising: deleting at least one of the first device identifier and thefirst device identifier secret; and denying the resource request fromthe mobile computing device.
 20. A non-transitory computer-readablemedium having instructions stored thereon that, when executed by atleast one processor, cause the at least one processor to performoperations comprising: receiving a registration request at a server, theregistration request comprising a representation of a username and apassword; verifying the username and the password and transmitting aone-time-use password; receiving the one-time-use password and firstdevice identifier information from a mobile computing device; receivingan access request from the mobile computing device comprising therepresentation of the username and the password, second deviceidentifier information, and application key information; verifying theusername, the password, the second device identifier information, andthe application key information at the server, and transmitting a tokento the mobile computing device; receiving a resource request from themobile computing device comprising the token and third device identifierinformation; verifying the token and the third device identifierinformation; and transmitting information associated with the resourcerequest to the mobile computing device.